WordPress Security – 20 Ways to Keep your WordPress Blog Safe

Most companies now use a blog to grow and expand their business, and rely on their websites to support their marketing campaigns. As a responsible website owner you don't want to hand your website to someone who could use it for malicious work. It was reported that 86% of websites have at least one serious vulnerability. In 2015 Google reported that hacking had increased 180% from the previous year. According to Forbes, on average 30000 websites are hacked every day.

Hackers can view your personal information and misuse it. They can use your resources, i.e. your website, for their own purposes. Many corporations now also hire hackers to steal trade secrets and infiltrate competitors.

The majority of website breaches are not carried out to steal your data or vandalize your blog; the attackers use your server to run an email spam funnel, or set it up as a temporary web server to serve illegal files.

They always look for the website with the most vulnerabilities, since it offers the least resistance. Most hacking is done by automated scripts that attack the vulnerable parts of your website's security, but there are also plenty of human hackers looking for weak spots in your defences.

WordPress is the most popular platform for creating blogs and CMS sites, and that is why it is an important target for hackers.

Of all the websites that were hacked in 2015, 75% were on the WordPress platform. Why are WordPress websites so vulnerable to security breaches? Because it takes only 2 minutes to create a WordPress blog: all you need to do is press a button and WordPress is installed automatically.

This free one-click tool gives unskilled service providers and webmasters an easy way to set up and administer such websites. Perhaps this is one of the reasons why most of the infected websites in the world are on the WordPress platform. It takes only 2 minutes to create a website on WordPress, but these websites are an easy target for hackers because of their low security.


There are various ways to keep your website secure from hackers who seek to penetrate your WordPress blog's security.

1) Admin account:

The first and most obvious thing that comes to a hacker's mind is the administrator account. Choosing a clear and obvious login/username like "Admin" should be avoided wherever possible.

A username in WordPress can't be changed once it has been set during installation.

So create a new user account under Users > Add New and give it the Administrator role.

2) Switching account:

Use a different account for each purpose: Subscriber, Contributor, Author, Editor and Administrator. Using the administrator account for everything is very risky for your website. For example, if you are working with content (editing/publishing), using an Editor account goes a long way towards protecting your blog from a security breach.

You can create an Editor account under Users > Add New and assign it the Editor role.

3) Right Web Host:

The right choice of web host can help make your website less vulnerable. According to one report, almost 41 % of WordPress blogs get hacked through their hosting server. It is the leading route for hackers to gain access to your website.

Hackers also try to hack the hosting provider itself, because that way they can infect more users with less effort.


4) Security Plugins:

If you run a self-hosted blog then security is your priority, because you don't want hackers gaining access to your blog.

There are numerous security plugins available to you, but you should choose them wisely for the security of your website.

Some of the most trusted security plugins are: Sucuri, Wordfence and BulletProof Security.

5) Password:

Every expert will tell you the importance of choosing a complex and strong password. Never use a password combination that is easy to guess, like your name plus a few alphanumeric characters.

Try this strategy to generate a password that is hard to break:

  • Common words: Avoid dictionary words, names and places in your password.
  • Length: Always use a password of at least 8 characters. It takes 10 minutes to break a password of 6 characters and 4 months to break a password of 8 characters.
  • Mixing: Mix uppercase and lowercase characters in a way that is hard to guess, and use numbers and punctuation effectively.
  • Note: Never write your password down in a place within reach of others.

5) Login attempts:

Limiting login attempts makes sure that a bot, or even a human, can't guess your password. They may not guess it in 20-30 attempts, but given enough attempts they will succeed. If you are using a complex password the number of attempts needed will be higher. Limiting login attempts with a suitable plugin like Login LockDown will block attempts to guess the password.
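To show what such limiting looks like under the hood, here is an added example (not the page's code and not the Login LockDown plugin) of a minimal per-IP login throttle built on WordPress's own hooks and transients; the wpsec_ names and the thresholds are assumptions.

```php
<?php
// Added example (not the page's or the Login LockDown plugin's code): a
// minimal per-IP login throttle for WordPress, placed in functions.php or an
// mu-plugin. Names prefixed "wpsec_" are hypothetical; the thresholds are
// assumptions to tune for your site.
define( 'WPSEC_MAX_ATTEMPTS', 5 );       // failures allowed per window
define( 'WPSEC_LOCKOUT_SECONDS', 900 );  // 15-minute counting window / lockout

// Key the counter on the client address. REMOTE_ADDR is only meaningful when
// no reverse proxy sits in front of the site; X-Forwarded-For is deliberately
// not used because any client can set it.
function wpsec_attempt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'wpsec_fail_' . md5( $ip );
}

// Count a failed login; the transient expires with the window, and every
// further failure during a lockout extends it.
function wpsec_record_failure( $username ) {
    $key      = wpsec_attempt_key();
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, WPSEC_LOCKOUT_SECONDS );
    if ( $failures >= WPSEC_MAX_ATTEMPTS ) {
        // Written to the PHP error log so the lockout is visible to monitoring.
        error_log( sprintf( 'wpsec: lockout after %d failed logins for user "%s"',
            $failures, $username ) );
    }
}
add_action( 'wp_login_failed', 'wpsec_record_failure' );

// Refuse password logins while locked out. Priority 30 runs after the core
// username/password checks (priority 20), so this error wins. Cookie-based
// authentication (empty username) is left untouched.
function wpsec_block_locked_out( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    if ( (int) get_transient( wpsec_attempt_key() ) >= WPSEC_MAX_ATTEMPTS ) {
        return new WP_Error( 'wpsec_locked_out',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'wpsec_block_locked_out', 30, 3 );

// Reset the counter after a successful login.
function wpsec_clear_failures( $user_login, $user ) {
    delete_transient( wpsec_attempt_key() );
}
add_action( 'wp_login', 'wpsec_clear_failures', 10, 2 );
```

Transients live in the options table (or the object cache when one is configured), so the counter survives across PHP processes without any extra storage.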

6) Update WordPress:

Updating WordPress might seem to have nothing to do with website security, but an older version of WordPress is vulnerable to malicious attacks. Reports say that almost 55% of the websites hacked in 2015 were running an outdated WordPress version. WordPress also announced that all versions before 3.9.2 were an easy target for cross-site scripting attacks. With every new release, WordPress publishes a detailed changelog describing every bug that has been fixed. For hackers, that changelog is like a manual.

7) Update plugin:

Almost 21% of WordPress blogs are hacked through plugins. Outdated plugins are more susceptible to being hacked via code crafted by attackers. Weaker plugins contain buggy code or SQL queries that can be injected to extract data and information about your website. Do not install plugins from unreliable sources. Always prefer to download plugins from the official WordPress website to avoid problems.

Keeping plugins updated helps prevent your website from being hacked, and by default updated WordPress plugins ship an index.php file in each directory, which stops the directory's contents from being listed.

By default, the htaccess file is often saved in a WordPress installation as htaccess.default; if that is the case, rename it manually to .htaccess. In the rare case that no .htaccess file is available on your server, create a plain text document and upload it under the name ".htaccess".

8) Captcha:

A captcha is a program that protects websites from bots. Adding a captcha to your blog prevents bots and automated programs from generating spam on it. Using reCAPTCHA on your blog makes it easy to tell whether a user is a human or a bot.

9) Wp-config file:

If you are using a server with .htaccess, you can place a rule for the wp-config file at the very top of it to deny everyone access to the file from the web.

There is minimal benefit in this step, but it does not hurt to be extra careful. wp-config is a file usually found in the root of the WordPress installation; moving it to the wp-include folder gives it an extra layer of protection. You need to configure .htaccess to make sure WordPress still finds the file. Keep the permissions on this file to a minimum: 400 or 440 should be enough.

Depending on your web host this step might not work for you; in that case just revert to how things were previously.
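The two .htaccess steps from sections 7 and 9 (no directory listings, no web access to wp-config.php) as an added example of the rules themselves; this is not the page's own configuration, and it assumes Apache 2.4 with overrides allowed for the directory.

```apache
# Added example (not the page's own config): rules for the root .htaccess of a
# WordPress install, covering the two .htaccess steps from sections 7 and 9.
# Apache 2.4 syntax; needs AllowOverride All (or at least Options AuthConfig)
# for the directory, otherwise Apache answers every request with a 500 error.

# Section 7: the weak default lets Apache list a folder that has no index file.
# Turning listings off removes the need to rely on an index.php in every folder.
#   Options +Indexes        <- weak setting
Options -Indexes

# Section 9: refuse every web request for wp-config.php. PHP still reads the
# file from disk, so the site keeps working. On Apache 2.2 replace the Require
# line with "Order allow,deny" followed by "Deny from all".
<Files wp-config.php>
    Require all denied
</Files>
```

Then set the file's permissions on the host to the values the section names, for example chmod 440 wp-config.php (or 400 when PHP runs as the file's owner).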

10) Data backup:

Backing up your data doesn't help prevent attacks, but if your website is attacked the backup will let you restore everything quickly.

You should back up your data regularly, including your MySQL database. The backup lets you rebuild your website and helps you find the issue through which it was compromised.

Many website owners have run into this problem because they did not keep a regular backup of their data. They eventually gave up rebuilding their websites, because without a backup it is almost impossible to rebuild a website.

11) Delete unwanted plugin and themes:

Some website owners don't know that keeping unused plugins and themes can also open a door for hackers. Even when they are not activated, they can still leak your data to attackers: their source files are still on your server, which keeps your website vulnerable. Hackers find this an easy target because owners pay little attention to the security of unused themes and plugins. Always permanently delete the plugins and themes that you no longer use on your WordPress blog.

12) Monitoring:

Whatever precautions you take, there is still a chance your website might be hacked. Waiting for the website to be infected and only then taking measures is not good practice. There are always themes, plugins, links and other files that can be used to gain access to your website. That's why installing a security scanning plugin is important: it scans your blog regularly and notifies you if some of your files have changed.

Website owners can monitor their websites through various technologies: system utilities, revision control and OS-level monitoring. This way you can react and recover faster by following the traces left behind.
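The "notify you if some of your files have changed" check from section 12, as an added example rather than any plugin's code: a small command-line script that records SHA-256 hashes of the install and reports what changed on later runs. The file names, excluded paths and the wpsec_ function names are assumptions.

```php
<?php
// Added example (not the page's or any plugin's code): a command-line file
// integrity check for a WordPress install. The first run records a baseline of
// SHA-256 hashes; later runs (e.g. from cron) list added, removed and modified
// files and exit non-zero so an alert can be raised. Names are hypothetical.
// Assumed usage:  php wpsec-integrity.php /var/www/html /root/wp-baseline.json
// (keep the baseline outside the web root so an intruder cannot rewrite it).
$root     = rtrim( $argv[1] ?? '.', '/' );
$baseline = $argv[2] ?? 'wp-baseline.json';
$exclude  = array( 'wp-content/uploads', 'wp-content/cache' ); // assumed: legitimately volatile

// Walk the tree and return array( relative path => sha256 ), sorted by path.
function wpsec_hash_tree( $root, array $exclude ) {
    $hashes = array();
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $files as $file ) {   // LEAVES_ONLY: directories are not yielded
        $rel = substr( $file->getPathname(), strlen( $root ) + 1 );
        foreach ( $exclude as $prefix ) { if ( 0 === strpos( $rel, "$prefix/" ) ) { continue 2; } }
        $hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $hashes );
    return $hashes;
}

// Compare two hash maps and return the differences by category.
function wpsec_diff( array $old, array $new ) {
    $modified = array();
    foreach ( array_intersect_key( $new, $old ) as $path => $hash ) {
        if ( $old[ $path ] !== $hash ) {
            $modified[] = $path;
        }
    }
    return array( 'added'    => array_keys( array_diff_key( $new, $old ) ),
                  'removed'  => array_keys( array_diff_key( $old, $new ) ),
                  'modified' => $modified );
}

$current = wpsec_hash_tree( $root, $exclude );
if ( ! file_exists( $baseline ) ) {
    file_put_contents( $baseline, json_encode( $current, JSON_PRETTY_PRINT ) );
    exit( 'Baseline written for ' . count( $current ) . " files\n" );
}
$diff = wpsec_diff( (array) json_decode( file_get_contents( $baseline ), true ), $current );
foreach ( $diff as $kind => $paths ) {
    foreach ( $paths as $path ) {
        echo strtoupper( $kind ) . "\t" . $path . "\n";
    }
}
exit( array_sum( array_map( 'count', $diff ) ) > 0 ? 1 : 0 );
```

Re-create the baseline right after every legitimate core, plugin or theme update, otherwise the next run reports the update itself as a modification.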

13) Virus protection and Firewall:

Allowing malware onto your own computer, where it can capture personal data based on your internet activity, is a big threat. Even if you have applied strong security to WordPress and the web server, if your computer is infected, hackers will still be able to access your website. Always install good antivirus, anti-malware and firewall software on your computer to protect it from attack. Keep your web browser updated as well. If you visit untrusted sites, disable JavaScript/Flash in the browser.


14) Protect your wp-admin directory:

Setting a password on the wp-admin directory of your site is separate from your WordPress user account. Until the correct combination of username and password is supplied, the server returns a "401 Unauthorized" error and refuses to load pages from that directory. The username and password for that directory should not be identical to your WordPress account, which adds an extra layer of security to your blog. In this way webmasters can protect the files to which they want to limit access.
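The wp-admin password prompt from section 14, as an added example of the web server side (not the page's own configuration); it assumes Apache 2.4 and a password file path that is a placeholder, and includes the admin-ajax.php exception that keeps the public site working.

```apache
# Added example (not the page's own config): HTTP basic authentication for the
# wp-admin directory, saved as wp-admin/.htaccess (Apache 2.4 syntax). The
# AuthUserFile path is an assumption; create it outside the web root with
#   htpasswd -c /etc/apache2/wp-admin.htpasswd <some-name>
# using credentials that differ from the WordPress account, as section 14 says.
AuthType Basic
AuthName "Restricted administration area"
AuthUserFile /etc/apache2/wp-admin.htpasswd
Require valid-user

# Caveat: themes and plugins call wp-admin/admin-ajax.php from the public site,
# so that single file must stay reachable without the extra password or
# front-end features silently break.
<Files admin-ajax.php>
    Require all granted
</Files>
```

Basic authentication sends the password with every request, so this only adds real protection when the site is served over SSL (section 16).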

15) Database security:

You can set up tight security not only on your files but also on the database, by checking its permissions. Changing the table prefix of the WordPress database from wp_ to a name that is harder for a hacker to guess is regarded as good practice for securing your data. It can be changed during installation; if you did not change it then, don't worry, you can still change it later with a suitable security plugin or through phpMyAdmin. You should also guard your data against XSS and SQL injection.

XSS protection means checking data before it is submitted and encoding it to strip out HTML. Hackers try to inject JavaScript/Flash scripts to run malicious code in the browsers of your website's readers.

Hackers use SQL injection via URL parameters or form fields to access and manipulate your database. Parameterised queries, available in most web languages, are an easy way to prevent SQL injection attacks.
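An added example (not the page's code) of what sections 15's advice means in a WordPress theme or plugin: the injectable pattern next to its hardened form, using WordPress's own $wpdb->prepare() for the parameterised query and esc_html() for the output encoding. The wpsec_ function names and the author_id parameter are assumptions.

```php
<?php
// Added example (not the page's code): the vulnerable pattern next to the
// hardened one, using WordPress's own $wpdb and escaping helpers. Function
// names are hypothetical. The query goes through $wpdb->posts, so a changed
// table prefix (section 15) needs no code change.

// VULNERABLE: a raw URL parameter is pasted into SQL and echoed into HTML.
function wpsec_author_titles_unsafe() {
    global $wpdb;
    $author = $_GET['author_id'];                          // untrusted input
    $rows   = $wpdb->get_results(
        "SELECT post_title FROM {$wpdb->posts} WHERE post_author = $author" );
    foreach ( $rows as $row ) {
        echo '<li>' . $row->post_title . '</li>';          // XSS if title holds markup
    }
}

// HARDENED: validate the input type, bind it with $wpdb->prepare() (the
// WordPress form of a parameterised query), and escape on output.
function wpsec_author_titles_safe() {
    global $wpdb;
    $author = isset( $_GET['author_id'] ) ? absint( $_GET['author_id'] ) : 0;
    if ( 0 === $author ) {
        return;  // not a valid author id, nothing to show
    }
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT post_title FROM {$wpdb->posts}
         WHERE post_author = %d AND post_status = 'publish'",
        $author ) );
    foreach ( $rows as $row ) {
        echo '<li>' . esc_html( $row->post_title ) . '</li>';
    }
}
```

The same two-step rule applies to every field: validate or sanitise on the way in (absint, sanitize_text_field), escape on the way out (esc_html, esc_attr, esc_url) for the context it is printed into.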

16) SSL:

SSL is a protocol that encrypts the connection between your web server and the reader's browser. It prevents a third party from reading your data while it is being transferred between the web server, the database and the website.

You can force logins over SSL by adding the following line to your wp-config file: define('FORCE_SSL_ADMIN', true); Whether this works depends purely on the web host you use, but most of them provide this facility. After you get the SSL certificate you need to integrate it with your WordPress website.

17) Disable XML-RPC:-

All WordPress versions after 3.5 have XML-RPC turned on by default. It can be a great threat to your website's security. Most website owners don't use XML-RPC for anything. You can either delete the xmlrpc.php file or block access to it for all users.

18) Disable pingback and trackbacks:

Pingbacks and trackbacks can be used to run DDoS attacks against your website. So it is best to disable pingbacks coming from other websites:

Go to Settings > Discussion and uncheck the box that says: Allow link notifications from other blogs (pingbacks and trackbacks) on new articles.
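Sections 17 and 18 can also be enforced in code rather than by editing files or settings by hand; the following is an added example (not the page's code) using WordPress's own filters, with the wpsec_ names as assumptions. It also covers a caveat: the xmlrpc_enabled filter only gates methods that require a login, and pingback.ping needs none.

```php
<?php
// Added example (not the page's code): turn off XML-RPC and pingbacks from
// functions.php or an mu-plugin using WordPress's own filters. Function names
// prefixed "wpsec_" are hypothetical.

// Section 17: xmlrpc_enabled makes every XML-RPC method that needs a login
// fail with "XML-RPC services are disabled on this site". It also breaks
// legitimate clients such as the WordPress mobile apps and Jetpack, so either
// accept that or block xmlrpc.php in the web server instead, as the text says.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Section 18: pingback.ping does not require a login, so xmlrpc_enabled alone
// does not stop the pingback traffic the text describes. Remove the pingback
// methods from the method table explicitly.
function wpsec_remove_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'wpsec_remove_pingback_methods' );

// Stop advertising the endpoint: WordPress adds an X-Pingback header to
// every non-feed response unless it is removed here.
function wpsec_drop_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'wpsec_drop_pingback_header' );

// Same effect as unticking the Settings > Discussion box above, but enforced
// in code for every post, including posts that still have pings enabled.
add_filter( 'pings_open', '__return_false' );
```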

19) Malware detection:

Malware is intrusive software, including malicious web scripts, that infects your website. No website owner wants a malware attack, because it affects the ranking and credibility of the blog. Regularly read Google Search Console (GSC) and security websites about the malware currently circulating and how to protect your website from it.

20) Hide wordpress admin/ login name:

You are making a big mistake with your website's security if you are not hiding your admin name. If hackers find out your admin username, it is a lot simpler to compromise your website through a brute-force attack.

You can hide your WordPress username by adding the following code to your theme's functions.php file:

add_action( 'template_redirect', 'bwp_template_redirect' );

// Author archive URLs expose the login name, so send any request for an
// author page back to the home page instead.
function bwp_template_redirect()
{
    if ( is_author() ) {
        wp_redirect( home_url() );
        exit;
    }
}

You can also use WordPress security plugins to carry out this task.

You should remember that WordPress blogs are favourite targets for hackers. As technology evolves to stop these attacks, they keep creating new ways to infiltrate your website. They can steal your information and data and misuse it in many ways: they can use your server for their illegal purposes, use your website to run their spam campaigns, use it for things like malware distribution and SEP attacks, and your personal account information can be used to steal money from your bank account. Whatever the purpose behind a security breach, you don't want your website to be accessed by anyone else. If you haven't set up strong security for your WordPress blog, that is a big reason to worry. If your website is hacked, its ranking and SEO also degrade considerably, because people don't want to visit a hacked website and put their own at risk, and that reputation is almost impossible to rebuild.

These security measures will let you secure your data so that you can sleep in peace without worrying about your website's security.

Did you find this post useful? If you have any doubts or suggestions, feel free to share your views with me.

About Saurav Kumar

Saurav is a full time blogger and a growth hacker at Temok. Find him on Twitter and Linkedin

3 Comments

  1. Useful article, thanks. It seems that you have two points numbered 5 in the article.

    I've lost count of how many times I have removed viruses from their WordPress sites. The most malicious virus was heur script.

    I fully confirm the statistics. If the site is on a free engine (90% of such sites), then this site can be hacked.

    The most important safety rule is to regularly update the plug-ins and the site engine.

  2. Die casting mold

    Useful article, thanks. It seems that you have two points numbered 5 in the article.

    I've lost count of how many times I have removed viruses from their WordPress sites. The most malicious virus was heur script.

  3. Ajay Sharma

    Your article is very informative. I have learned many safety rules from this article. I am trying to put these safety rules into practice.
